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TI Virus detection method for removal of viruses in 

macros - in which file is targetted for virus detection 
according to configuration settings of macro virus 
detection module, and copied into data buffer for analysis. 
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The method for detection and removal of macros involves 
using a virus detection module (206) which determines 
(302) whether a targeted file includes a macro, and where the macro 
is found, locates and decodes (302) it to produce a decoded macro. 
The decoded macro is accessed and scanned (304) to determine whether 
it contains any viruses . 

A macro treating module (310) locates suspect instructions in 
the decoded macro using comparison data for detecting unknown 
macro viruses, which are removed to produce a 

treated macro. A file correcting module (310) accesses a targeted 

file with an infected macro and replaces the 

infected macro with the treated macro 

produced by the treatment module (3 06) . 

USE - Detection and removal of viruses which reside 

in macros . 
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TI Virus checking method for computer word processing application - 

deactivating execution of automatic instruction sequences associated 
with opened file, and detecting and examining instruction sequences 
at file operation. 

DC T01 

IN BENEDIKT, R 

PA (SIEI) SIEMENS AG 

CYC 1 

PI DE 19638143 Al 980319 (9817)* 4 pp G06F012-16 

ADT DE 19638143 Al DE 96-19638143 960918 
PRAI DE 96-19638143 960918 




L2 ANSWER 4 OF 3 0 INSPEC COPYRIGHT 19 98 IEE 
AN 98:5875017 INSPEC DN C98 05 - 613 OS- 042 

TI Macro virus identification problems. 
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AB Computer viruses written in the macro 

programming language of the popular office applications like 
Microsoft Word have become extremely widespread. Unlike the MS-DOS 
viruses which are single entities, the macro 

viruses often consist of entire sets of several independent 
macros. This poses some interesting theoretical problems to the 
virus specific anti virus software that attempts to identify exactly 
the viruses it detects. Two viral sets of macros can have common 
subsets-or one of the sets could be a subset of the other. The paper 
deals with the problems caused by this, some of which are extremely 
difficult, if not impossible to solve. Emphasis is put on how the 
difficulties could be exploited by the virus writers and how the 
anti virus products should be improved in order to be made resistant 
to such attacks and to avoid damaging the user's documents when 
misidentif ying the virus in it and attempting to remove the wrong 
virus variant . 
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TI Norman Virus Control v4.3 0 for Windows 95. 
AU Jackson, K. 
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AB Norman Data Defense Systems alleges that the Norman Virus Control 
(NVC) virus scanner can now detect and remove all known 
macro viruses . It makes the same claim of its 



memory- resident j^gnner . These are bold words, and^fctried to test 
t the product agai^^B them. There are versions of NV(^^^ut this review 

only covers version 4.30 for standalone Windows 95. NVC only missed 
four samples of a single Excel virus and it detected all the other 
macro viruses. However, some of the ways in which 

NVC operates are, to put it mildly, quirky. The mode of operation is 
not wrong or inferior, it just does things in ways that are not 
initially clear. Once this is realized, NVC works very well, is very 
capable of detecting viruses (polymorphic detection is outstanding 
at 100%), and it scans quickly. It should prove to be a good buy. 
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AB Computer Associates claims its product is 'a full-featured Windows 
95 application that detects and removes viruses' . In other words a 
scanner, and both on-demand and memory- resident components are 
provided. Inoculan 's packaging claims '100% protection, 100% cure 
against all macro viruses', and 'Automatic 
Protection Against Virus Attack GUARANTEED' , The latter 
claim is already dead in the water-nothing provides guaranteed 
protection against virus attacks. Anyone who claims that their 
product does is either lying or does not understand the problem. 
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AB The following virus scanner software packages are compared: Alwil 

AVAST ! , Anywhere Antivirus , Cheyenne InocuLAN, Command F- PROT, Cybec 



VET, Data Fellowj^- PROT, DialogueScience DrWeb, Dig^olomons AVTK, 
EliaShim ViruSa^^ESaSS ThunderBYTE, H+BEDV AVE32^^+BEDV AVSCAN, 
IBM Antivirus, Intel LANDesk, Iris antivirus, KAMI AVP, Look 
Software Virus ALERT, Mcafee ViruScan, Norman Virus Control, 
SafetyNet VirusNet, Sophos SWEEP, Stiller Integrity Master, Symantec 
Norton Antivirus, Trend PC-cilin. 
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Norman Virus Control; SafetyNet VirusNet 
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AB VirusALERT is a multifaceted package including a scanner, 

memory- resident anti -virus programs , disinfection features , and a 
disk recovery program. The author reviews its main components. The 
product was provided for review on four 1.44 MB floppy disks, two 
marked "Virus ALERT" , one for macro 
viruses, and one marked "TESTER". 
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AB Find out how to protect your PC against the 7000 known computer 

viruses with the latest Windows 95 ready software. 
CC D5 000 Office automation - computing; D106 0 Security 
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The method includes the steps starting a data processing application 
and deactivating an execution of automatic instruction sequences 
which may be associated with the file. A check or a query on the 
existence of such associated instruction sequences is performed at a 
file operation. 

At detecting such sequence, a message is generated, which 
requests the execution of an instruction fro processing the detected 
instruction sequence . The instruction sequence is processed, and 
depended on the result of the processing, the sequence may be 
deleted or executed by removing the deactivation. 

USE - Esp. for detecting macro-virus in 
word editor, e.g. Winword, Excel, Windows applications. 

ADVANTAGE - Improves protection against viruses 
implemented as word-processor macros. 
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